mitre/microsoft-windows-server-2016-stig-baseline

V-73373 - Code does not take into account all GPOs

Closed this issue · 1 comments

Looking at this code, it does not check if there are more GPOs than the default two. I looked at the Fix and Check text. If any standard user accounts or groups have greater than Allow permissions of Read and Apply group policy, this is a finding. Need to review possibilities on how to get all GPOs in a file and then run a check.

The existing code did check all GPOs (in addition to the default two); however, you are correct about it not leading to a finding with incorrect permissions. I modified permissions for a new GPO and it didn't lead to a finding even with Full Control given to users that shouldn't have it. So I've changed the control to a manual review (similar to V-93033). Thank you @burnsjared0415
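
As an aid to the manual review the thread settles on, the following added example (not code from this repository or from either participant) enumerates every GPO in the domain and lists trustees holding more than Read or Apply group policy. The `$ExpectedPrivileged` allow-list and the output file name are assumptions to adjust for the site.

```powershell
# Added example: list GPO trustees with more than Read / Apply group policy.
# Requires the GroupPolicy module (RSAT or a domain controller) and a
# domain-joined session with rights to read GPO security descriptors.
Import-Module GroupPolicy

# Assumption: trustees that are expected to hold elevated GPO rights.
# Replace with the site's documented administrative groups. Matching on
# name keeps the example short; matching on SID is more robust.
$ExpectedPrivileged = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')

# Permission levels the check text accepts for standard users and groups.
$AllowedForStandard = @('GpoRead', 'GpoApply')

$review = foreach ($gpo in Get-GPO -All) {
    # -All returns one entry per trustee on this GPO, not only the defaults.
    foreach ($entry in Get-GPPermission -Guid $gpo.Id -All) {
        $level = $entry.Permission.ToString()

        if ($ExpectedPrivileged -contains $entry.Trustee.Name) { continue }
        if ($AllowedForStandard -contains $level)              { continue }

        [pscustomobject]@{
            Gpo         = $gpo.DisplayName
            GpoId       = $gpo.Id
            Trustee     = $entry.Trustee.Name
            TrusteeSid  = $entry.Trustee.Sid.Value
            TrusteeType = $entry.Trustee.SidType
            # GpoEdit, GpoEditDeleteModifySecurity or GpoCustom.
            # GpoCustom means the ACL does not map to a GPMC preset, so
            # inspect that GPO's security descriptor by hand.
            Permission  = $level
        }
    }
}

# Every row is a candidate finding for a reviewer to confirm.
$review | Sort-Object Gpo, Trustee | Format-Table -AutoSize
$review | Export-Csv -Path .\gpo-permission-review.csv -NoTypeInformation
```

An empty result means only that no trustee outside the allow-list holds a level above Read or Apply as reported by `Get-GPPermission`; it does not replace the manual review.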